Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Package dependency Azure.Identity with high vulnerability #2195

Closed
pampua84 opened this issue Oct 24, 2023 · 4 comments
Closed

Package dependency Azure.Identity with high vulnerability #2195

pampua84 opened this issue Oct 24, 2023 · 4 comments
Labels
2️⃣ Duplicate Issue/PR that is a duplicate and already exists.

Comments

@pampua84
Copy link

Describe the bug

Hi,
as per the description in the object, when the package is installed, it brings as a dependency version 1.7.0 of Azure.Identity which has a strong vulnerability up to version 1.10.2 , as also reported in the link:

https://github.com/advisories/GHSA-5mfx-4wcx-rv27

and also on nuget.org:

https://www.nuget.org/packages/Azure.Identity/1.7.0

image

If you update the Azure.Identity library to the latest version, are there any breaking changes?

@ErikEJ
Copy link
Contributor

ErikEJ commented Oct 24, 2023

@pampua84 What have you tried? In addition, this will be fixed in 5.2 preview 4

@pampua84
Copy link
Author

Hi @ErikEJ,
I was actually running a vulnerability test for packages installed on a project via the command:

dotnet list package --vulnerable --include-transitive

I see that Microsoft.Data.SqlClient 5.1.1 supports any version later than >= 1.7.0, of Azure.Identity, so updating it shouldn't cause any problems. Right?

@ErikEJ
Copy link
Contributor

ErikEJ commented Oct 24, 2023

Correct

@JRahnama JRahnama added the 2️⃣ Duplicate Issue/PR that is a duplicate and already exists. label Oct 24, 2023
@JRahnama
Copy link
Contributor

Closing as a duplicate of #2181.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2️⃣ Duplicate Issue/PR that is a duplicate and already exists.
Projects
None yet
Development

No branches or pull requests

3 participants